| Summary: | <www-apps/redmine-5.0.6: multiple XSS vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | ajak, azamat.hackimov, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.redmine.org/projects/redmine/wiki/Security_Advisories | | |
| See Also: | https://github.com/gentoo/gentoo/pull/33748 | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
John Helmert III
2023-11-05 17:10:48 UTC
FWIW I encountered a minor issue trying to use this ebuild: it permits deckar01-task_list-2.3.3, but the Gemfile for 5.0.6 requires 2.3.2. Upstream has not moved to 2.3.3 in any branch that I can find.

I didn't want to fight through surprise issues so I just set =2.3.2 in the ebuild. That required forgoing claiming ruby32 compat because the deckar01-task_list-2.3.2 in ::gentoo has USE_RUBY only up through ruby31.

I don't actually see anything in https://gitlab.com/deckar01/task_list that makes me think 2.3.2 won't work w/ruby 3.2, but I didn't look very closely.

...Bah, I probably should have commented on https://github.com/gentoo/gentoo/pull/33748 instead of here.

(In reply to Hank Leininger from comment #1)
> I didn't want to fight through surprise issues so I just set =2.3.2 in the
> ebuild. That required forgoing claiming ruby32 compat because the
> deckar01-task_list-2.3.2 in ::gentoo has USE_RUBY only up through ruby31.

From a maintenance point of view we prefer to avoid dependencies on specific versions in general, but to facilitate this security issue I've also added ruby32 to the old deckar01-task_list ebuild.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec28e1443716cb1a614eef933d6e495b73dce88b

commit ec28e1443716cb1a614eef933d6e495b73dce88b
Author: Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2023-11-09 22:29:33 +0000
Commit: Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-01-07 00:19:37 +0000

    www-apps/redmine: add 5.0.6

    Add ruby 3.2 support, EAPI 8.

    Bug: https://bugs.gentoo.org/916900
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-apps/redmine/Manifest             |   1 +
 www-apps/redmine/redmine-5.0.6.ebuild | 255 ++++++++++++++++++++++++++++++++++
 2 files changed, 256 insertions(+)

Thanks!